CVE-2013-6021
Published 2013-10-19
Priority P2 · 58 · critical 9.3 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Tags: EXPLOIT
EPSS: 12.20% (95.7th percentile)
Buffer overflow in WGagent in WatchGuard WSM and Fireware before 11.8 allows remote attackers to execute arbitrary code via a long sessionid value in a cookie.
Affected (12 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| watchguard | fireware | <= 11.7.4 | — |
Detection & IOCs (extracted from sources)
- bytes: `\x8b\x41\x24\x29\xd0\x83\xc0\x40\x83\xe8\x35`
- Detect oversized sessionid cookie values in HTTP requests to /agent/ping on port 8080 (SSL); a sessionid value exceeding 120 characters (and especially 140+) is anomalous and indicative of exploitation.
- Detect HTTP requests to /agent/ping with abnormally large User-Agent headers (e.g., >1800 bytes) combined with a Cookie header containing a sessionid field, targeting WatchGuard WGagent on port 8080.
- Detect HTTP requests to /agent/ping with an Accept-Encoding header padded with large amounts of repeated bytes (e.g., 'b' x 1386), which is used to position shellcode in the exploit.
- The exploit targets WatchGuard Fireware/WSM versions before 11.8; version fingerprinting of WGagent can help identify vulnerable instances.
- The exploit hardcodes a target IP (192.168.60.200) and port (8080) for the WatchGuard XTM web console; real-world deployments may use different ports or IPs. Detection rules should not rely solely on these values.
- The shellcode is alpha2-encoded to avoid bad characters (null bytes, control characters, spaces, quotes, ampersands, semicolons, and cookie delimiters); signature-based detection must account for this encoding and cannot rely on raw shellcode bytes alone.
- The exploit uses SSL (IO::Socket::SSL) for all communications; network-level detection requires SSL/TLS inspection to inspect cookie and header contents.
- The exploit uses a two-phase heap massage approach (step 1: a non-overflowing sessionid of 120 'A's to shape the heap; step 2: an overflowing sessionid of 140 bytes plus a 2-byte overwrite); detection must consider both request patterns.
No detection rules found.
No writeups or analysis indexed.
References:
- http://osvdb.org/98752
- http://watchguardsecuritycenter.com/2013/10/17/watchguard-dimension-and-fireware-xtm-11-8/
- http://watchguardsecuritycenter.com/2013/10/17/xtm-11-8-secfixes/
- http://www.exploit-db.com/exploits/29273
- http://www.kb.cert.org/vuls/id/233990
- http://www.securityfocus.com/bid/63227
- https://funoverip.net/2013/10/watchguard-cve-2013-6021-stack-based-buffer-overflow-exploit/